Share
## https://sploitus.com/exploit?id=336099EB-D841-5918-884E-BDD159524698
# CVE-2026-31431 โ€” "Copy Fail" Research Repository

[![Severity: High](https://img.shields.io/badge/Severity-High-red)]()
[![CVSS: 7.8](https://img.shields.io/badge/CVSS%20v3.1-7.8%20HIGH-orange)]()
[![CVE](https://img.shields.io/badge/CVE-2026--31431-blue)](https://nvd.nist.gov/vuln/detail/CVE-2026-31431)
[![Release](https://img.shields.io/github/v/release/nisec-eric/cve-2026-31431?label=Release&color=green)](https://github.com/nisec-eric/cve-2026-31431/releases)
[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](LICENSE)

> **A 100% reliable Linux local privilege escalation affecting every mainstream distribution since 2017.**
>
> One logic bug in `authencesn`, chained through `AF_ALG` and `splice()` into a 4-byte page-cache write โ€” silently exploitable for nearly a decade.

## โš ๏ธ Disclaimer

**All code and documentation in this repository is provided exclusively for authorized security research and educational purposes.**

Running exploit code against systems you do not own or have explicit written authorization to test is illegal. By using this repository, you accept full responsibility for your actions.

---

## Overview

| Field | Detail |
|---|---|
| **CVE** | CVE-2026-31431 |
| **Alias** | Copy Fail |
| **Type** | Linux kernel local privilege escalation (LPE) / page-cache arbitrary write |
| **CVSS v3.1** | 7.8 HIGH โ€” `AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H` |
| **CWE** | CWE-669 (Incorrect Resource Transfer Between Spheres) |
| **Component** | `crypto/algif_aead` โ€” `authencesn` cryptographic template |
| **Introduced** | 2017 (commit `72548b093ee3`) |
| **Fixed** | Mainline commit `a664bf3d603d` (2026-04-01) |
| **Patched kernel** | v6.18.22+, v6.19.12+, v7.0+ |
| **Discoverer** | Xint / Theori (Taeyang Lee + Xint Code AI-assisted audit) |
| **Disclosure** | 2026-04-29 โ€” [copy.fail](https://copy.fail/) |

### Why Copy Fail is different

| | Typical Linux LPE | Copy Fail |
|---|---|---|
| Race condition | Required | **None** |
| Per-distro offsets | Required | **None** |
| Reliability | 30โ€“80% | **100%, single shot** |
| Affected window | Narrow | **2017 โ†’ 2026 (9 years)** |
| On-disk modification | Possible | **None (stealthy)** |
| Cross-container | No | **Yes** |

---

## Repository Structure

```
.
โ”œโ”€โ”€ README.md                          โ† You are here
โ”œโ”€โ”€ LICENSE                            โ† MIT
โ”œโ”€โ”€ .gitignore
โ”œโ”€โ”€ docs/
โ”‚   โ”œโ”€โ”€ analysis-report.md             โ† Comprehensive security analysis
โ”‚   โ”œโ”€โ”€ analysis-report.html           โ† Styled HTML version
โ”‚   โ”œโ”€โ”€ exploit-walkthrough.md         โ† Line-by-line PoC analysis
โ”‚   โ””โ”€โ”€ exploit-walkthrough.html       โ† Styled HTML version
โ””โ”€โ”€ poc/
    โ”œโ”€โ”€ README.md                      โ† PoC usage guide
    โ”œโ”€โ”€ copy_fail_exp.py               โ† Official PoC (732 bytes, obfuscated)
    โ”œโ”€โ”€ copy_fail_exp_readable.py      โ† Deobfuscated + annotated version
    โ”œโ”€โ”€ copy_fail_exp_compat.py        โ† Python 3.6+ compat (ctypes splice)
    โ”œโ”€โ”€ copy_fail_exp_alpine.py        โ† Alpine Linux variant
    โ”œโ”€โ”€ copy_fail_exp.go               โ† Go implementation (zero deps)
    โ”œโ”€โ”€ copy_fail_rust/                โ† Rust implementation
    โ”‚   โ”œโ”€โ”€ Cargo.toml
    โ”‚   โ””โ”€โ”€ src/main.rs
    โ”œโ”€โ”€ check_vulnerable.py            โ† Vulnerability scanner
    โ””โ”€โ”€ mitigate.sh                    โ† One-click mitigation script
```

---

## Quick Start

### Download pre-built release

```bash
# From GitHub Releases โ€” pre-built Go binary (Linux amd64/arm64) + all Python scripts
wget https://github.com/nisec-eric/cve-2026-31431/releases/latest/download/copy-fail-go-linux.tar.gz
wget https://github.com/nisec-eric/cve-2026-31431/releases/latest/download/copy-fail-python.tar.gz

tar xzf copy-fail-go-linux.tar.gz
tar xzf copy-fail-python.tar.gz

# Go static binary (no Python needed)
chmod +x copy-fail-exp-amd64
./copy-fail-exp-amd64

# Or use Python scripts directly
python3 check_vulnerable.py
```

> ๐Ÿ“ฆ Releases are auto-built via GitHub Actions on every `v*` tag push.
> Go binaries are cross-compiled for **linux/amd64** and **linux/arm64** with `CGO_ENABLED=0`.

### 1. Check if your system is vulnerable

```bash
python3 poc/check_vulnerable.py
```

### 2. Apply mitigation (no reboot required)

```bash
sudo bash poc/mitigate.sh
```

This blacklists the `algif_aead` kernel module โ€” breaks nothing for 99% of systems.

### 3. Patch properly โ€” upgrade your kernel

```bash
# Debian/Ubuntu
sudo apt update && sudo apt upgrade linux-image-*

# RHEL/CentOS/Fedora
sudo dnf update kernel

# Reboot into patched kernel
sudo reboot
```

### 4. Verify

```bash
python3 poc/check_vulnerable.py
# Exit code 1 = protected โœ“
```

---

## PoC Exploits

> **WARNING: Run only on systems you own or have authorization to test.**

| File | Language | Requirements | Notes |
|---|---|---|---|
| `copy_fail_exp.py` | Python 3.10+ | stdlib only | Official 732-byte PoC |
| `copy_fail_exp_compat.py` | Python 3.6+ | stdlib + ctypes | Works on CentOS 7, AL2 etc. |
| `copy_fail_exp_alpine.py` | Python 3.10+ | stdlib only | Targets `/bin/ping` on Alpine |
| `copy_fail_exp.go` | Go 1.21+ | stdlib only | Static binary, zero deps |
| `copy_fail_rust/` | Rust 1.70+ | libc + flate2 crates | Static binary |

```bash
# Python
python3 poc/copy_fail_exp.py
python3 poc/copy_fail_exp_compat.py        # Python < 3.10

# Go
go build -o exp ./poc/copy_fail_exp.go && ./exp

# Rust
cd poc/copy_fail_rust && cargo run --release
```

All versions accept an optional argument to target a different SUID binary:

```bash
python3 poc/copy_fail_exp.py /usr/bin/passwd
./exp /usr/bin/sudo
```

---

## Documentation

### ๐Ÿ“„ [Security Analysis Report](docs/analysis-report.md) ([HTML](docs/analysis-report.html))

Full vulnerability assessment covering:
- Technical root cause (scatterlist page provenance, `authencesn` scratch write)
- Affected versions and distribution patch status
- Remediation for bare-metal Linux, Kubernetes, Docker, WSL2
- Detection and monitoring guidance (auditd, SELinux, file integrity)
- Disclosure timeline

### ๐Ÿ“„ [Exploit Walkthrough](docs/exploit-walkthrough.md) ([HTML](docs/exploit-walkthrough.html))

Line-by-line PoC analysis covering:
- Complete deobfuscated source with annotations
- Kernel internals: `AF_ALG` socket flow, `splice()` page-cache delivery, `sg_chain()` mechanics
- The `authencesn` ESN scratch write that crosses scatterlist boundaries
- Payload analysis (160-byte ELF shellcode)
- Attack variants: `/etc/passwd` injection, shared library targeting, container escape
- Attack limitations and boundaries

---

## Impact by Environment

| Environment | Risk | Why |
|---|---|---|
| Multi-tenant Linux hosts | ๐Ÿ”ด High | Any user โ†’ root |
| Kubernetes / containers | ๐Ÿ”ด High | Shared page cache โ†’ container escape |
| CI runners (self-hosted) | ๐Ÿ”ด High | Malicious PR โ†’ runner root |
| Cloud SaaS (user code) | ๐Ÿ”ด High | Tenant โ†’ host root |
| Standard servers | ๐ŸŸก Medium | Chains with web RCE / stolen creds |
| Single-user laptops | ๐ŸŸข Low | Already the only user |

---

## Key References

- [copy.fail](https://copy.fail/) โ€” Official vulnerability page
- [Xint Blog โ€” Technical Writeup](https://xint.io/blog/copy-fail-linux-distributions) โ€” Root cause deep-dive
- [NVD Entry](https://nvd.nist.gov/vuln/detail/CVE-2026-31431)
- [GitHub Advisory GHSA-2274-3hgr-wxv6](https://github.com/advisories/GHSA-2274-3hgr-wxv6)
- [Kernel Patch (commit a664bf3d603d)](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a664bf3d603d)
- [Official PoC Repository](https://github.com/theori-io/copy-fail-CVE-2026-31431)
- [Red Hat Advisory](https://access.redhat.com/security/cve/cve-2026-31431) | [Ubuntu](https://ubuntu.com/security/CVE-2026-31431) | [SUSE](https://www.suse.com/security/cve/CVE-2026-31431.html) | [Amazon Linux](https://explore.alas.aws.amazon.com/CVE-2026-31431.html)

---

## Contributing

Contributions welcome:

- Additional PoC implementations (C, Zig, etc.)
- Distribution-specific test results
- Detection rules (Snort, Suricata, YARA, Sigma)
- Translations of documentation

Please open an issue or pull request.

## License

[MIT](LICENSE) โ€” Use responsibly.